Host name in inputs.conf file

skibum
Engager

I am trying to use a host name in the stanza [udp://foo.514] but the name is not taking. On the same subject, if I have [udp://514] hostname = foo, this is ignored?

Is this just because I am using udp instead of tcp?

gkanapathy
Splunk Employee

Correct. It does not work with UDP, since there are no "connections" on a UDP port. However, I am not certain that this would do what you might be thinking it does. Please elaborate on what you would like this setting to actually do.

Genti
Splunk Employee

# TCP:

[tcp://:]
* Configure Splunk to listen on a specific port.
* If a connection is made from , this stanza is used to configure the input.
* If is blank, this stanza matches all connections on the specified port.

# UDP:

[udp://]
* Similar to TCP, except that it listens on a UDP port.

All options that work for TCP should work for UDP as well. I believe your syntax might be a bit off though. Check the config file instructions:

# The following configuration directs Splunk to listen on TCP port 9995 for raw data from 10.1.1.10.
# All data is assigned the host "webhead-1", the sourcetype "access_common" and
# the source "//10.1.1.10/var/log/apache/access.log."

[tcp://10.1.1.10:9995]
host = webhead-1
sourcetype = access_common
source = //10.1.1.10/var/log/apache/access.log

  • need to use foo:514
  • need to use host = foo

Lastly, if you actually want to see it being indexed as host = foo instead of host = 1.2.3.4, you need to set the flag connection_host = none.

.gz

0 Karma
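Added example, not part of any post in this thread: a small lint for the tcp:// and udp:// stanzas of an inputs.conf that flags the three problems discussed above (a stanza address that is not host:port, the key hostname used in place of host, and host set without connection_host = none). The function names and the sample file are constructed for illustration, and the third check assumes the behaviour described in the answer above.

```python
import re

# Constructed sample: the two forms from the question plus the forms the answer recommends.
SAMPLE_INPUTS_CONF = """\
[udp://foo.514]
sourcetype = syslog

[udp://514]
hostname = foo

[udp://foo:514]
host = foo

[udp://foo:515]
host = foo
connection_host = none
"""

def parse_stanzas(text):
    """Return {stanza_name: {key: value}} for a .conf-style file."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = stanzas.setdefault(header.group(1), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def lint_network_inputs(text):
    """Return (stanza, message) findings for tcp:// and udp:// stanzas."""
    findings = []
    for name, settings in parse_stanzas(text).items():
        m = re.fullmatch(r"(tcp|udp)://(.*)", name)
        if not m:
            continue
        if not re.fullmatch(r"(?:[^:]*:)?\d+", m.group(2)):
            findings.append((name, "address is not [host:]port"))
        if "hostname" in settings:
            findings.append((name, "'hostname' is not the key; use 'host'"))
        if "host" in settings and settings.get("connection_host") != "none":
            findings.append((name, "'host' set without connection_host = none"))
    return findings
```

Running lint_network_inputs over a deployed inputs.conf before a restart catches events that would otherwise be indexed under the sender's IP instead of the intended host value.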

bwooden
Splunk Employee

There are a few places the host value may be set.
Is your inputs.conf on the indexer?

Beyond inputs.conf, host values can also be set using props.conf & transforms.conf.
You can extract the host value from the syslog message too.

0 Karma